Imran Yousaf
 asked on

Account getting locked in Microsoft CAS server, Exchange 2013

One account in our domain is getting locked again and again. From Active Directory, I used three tools to find out the source, and all tools show that the workstation is our CAS server. I shut down the client machine, and the account got locked within half an hour after shutting down. The tools I used are "Account Lockout Status", "Netwrix Account Lockout Examiner" and "ManageEngine ADAudit Plus". The event viewer on AD is also showing the log below:

Kerberos pre-authentication failed.
Account Information:
      Security ID:            MIC\ofekry
      Account Name:            ofekry

Service Information:
      Service Name:            krbtgt/mic

Network Information:
      Client Address:            ::ffff:--.--.--.--    (CAS server Address)
      Client Port:            60818

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
if the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

I also logged in to the CAS server and executed the command in the Exchange shell; below is the result:

[PS] C:\Windows\system32>Get-ActiveSyncDeviceStatistics -Mailbox ofekry
Creating a new session for implicit remoting of "Get-ActiveSyncDeviceStatistics" command...
WARNING: The Get-ActiveSyncDeviceStatistics cmdlet will be removed in a future version of Exchange. Use the
Get-MobileDeviceStatistics cmdlet instead. If you have any scripts that use the Get-ActiveSyncDeviceStatistics cmdlet,
update them to use the Get-MobileDeviceStatistics cmdlet.  For more information, see
http://go.microsoft.com/fwlink/p/?LinkId=254711.


RunspaceId                    : 4a009f23-d25f-4e9c-b867-b8cd83259dbd
DeviceActiveSyncVersion       : 14.1
FirstSyncTime                 : 3/24/2015 11:52:50 AM
LastPolicyUpdateTime          : 11/2/2015 1:58:06 PM
LastSyncAttemptTime           : 9/18/2016 7:09:18 AM
LastSuccessSync               : 9/18/2016 7:09:18 AM
DeviceType                    : iPhone
DeviceID                      : A0BEPH6S8L3IB9LNNUJSK9EBE8
DeviceUserAgent               : Apple-iPhone7C2/1401.403
DeviceWipeSentTime            :
DeviceWipeRequestTime         :
DeviceWipeAckTime             :
LastPingHeartbeat             : 900
RecoveryPassword              : ********
DeviceModel                   : iPhone7C2
DeviceImei                    :
DeviceFriendlyName            : iPhone 6
DeviceOS                      : iOS 10.0.1 14A403
DeviceOSLanguage              : en-KW
DevicePhoneNumber             :
MailboxLogReport              :
DeviceEnableOutboundSMS       : False
DeviceMobileOperator          :
Identity                      : MIC.COM.KW/MICOU/UserAccounts/Standard/Finance/Omar
                                Fekry/ExchangeActiveSyncDevices/iPhone§A0BEPH6S8L3IB9LNNUJSK9EBE8
Guid                          : ce703a7d-dc6c-4d45-be23-49b65e59da7a
IsRemoteWipeSupported         : True
Status                        : DeviceOk
StatusNote                    :
DeviceAccessState             : Allowed
DeviceAccessStateReason       : Global
DeviceAccessControlRule       :
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor       :
NumberOfFoldersSynced         : 8
SyncStateUpgradeTime          :
ClientType                    : EAS
IsValid                       : True
ObjectState                   : Unchanged

RunspaceId                    : 4a009f23-d25f-4e9c-b867-b8cd83259dbd
DeviceActiveSyncVersion       : 14.1
FirstSyncTime                 : 12/16/2014 1:01:09 PM
LastPolicyUpdateTime          : 12/17/2014 3:31:21 AM
LastSyncAttemptTime           : 3/24/2015 7:36:10 PM
LastSuccessSync               : 3/24/2015 7:36:10 PM
DeviceType                    : SAMSUNGGTI9500
DeviceID                      : SEC12B0DAB3C46E7
DeviceUserAgent               : SAMSUNG-GT-I9500/101.40402
DeviceWipeSentTime            :
DeviceWipeRequestTime         :
DeviceWipeAckTime             :
LastPingHeartbeat             : 470
RecoveryPassword              : ********
DeviceModel                   : GT-I9500
DeviceImei                    : 357138055578543
DeviceFriendlyName            : ja3gxx
DeviceOS                      : Android
DeviceOSLanguage              : English
DevicePhoneNumber             :
MailboxLogReport              :
DeviceEnableOutboundSMS       : False
DeviceMobileOperator          :
Identity                      : MIC.COM.KW/MICOU/UserAccounts/Standard/Finance/Omar
                                Fekry/ExchangeActiveSyncDevices/SAMSUNGGTI9500§SEC12B0DAB3C46E7
Guid                          : f6647896-964a-4bfe-8804-7f84a1832ca3
IsRemoteWipeSupported         : True
Status                        : DeviceOk
StatusNote                    :
DeviceAccessState             : Allowed
DeviceAccessStateReason       : Global
DeviceAccessControlRule       :
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor       :
NumberOfFoldersSynced         : 7
SyncStateUpgradeTime          : 12/16/2014 1:17:20 PM
ClientType                    : EAS
IsValid                       : True
ObjectState                   : Unchanged


As you can see, the last successful sync was on the 18th of last month, because I removed the account from his mobile, so the mobile is not the source.

So basically I have two questions.
First question: Is there a way to find out what is trying to authenticate from Exchange? I mean, is it a mobile device, a machine with MS Outlook, web access, or any other device that requires authentication? In short, I want to know the type of authentication if possible, like type 1 = Outlook, type 2 = mobile device, type 3 = web access, etc.
Second question: How can I find out the source address of the device or machine that is trying to get authenticated from Exchange?

Also note that, as I mentioned above, the source machine of the locked account is the Exchange server and not the client machine. I also shut down the client machine and the account still got locked, which means that the client machine is not initiating the authentication request.

Please help me in diagnosing the said account lockout issue.

Regards

Imran.
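
Added example (not part of the original question or of any reply in this thread): both questions above, the client type and the source address, can be read from the IIS W3C logs on the CAS server, because each HTTP-based Exchange client protocol uses its own virtual directory. The script assumes the listed W3C fields are being logged; the sample log lines, IP addresses, user agents and device ID are constructed.

```powershell
# Added example: summarise failed (HTTP 401) requests for one user from IIS W3C logs.
# On the CAS server, replace the constructed sample with the real files, e.g.
#   $lines = Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'   # default IIS path (assumption)
$user  = 'ofekry'
$lines = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status sc-substatus
2016-10-05 05:10:01 POST /Microsoft-Server-ActiveSync/default.eas User=ofekry&DeviceId=CONSTRUCTED01&Cmd=Ping MIC\ofekry 192.0.2.15 Constructed-Tablet/1.0 401 1
2016-10-05 05:10:31 POST /Microsoft-Server-ActiveSync/default.eas User=ofekry&DeviceId=CONSTRUCTED01&Cmd=Ping MIC\ofekry 192.0.2.15 Constructed-Tablet/1.0 401 1
2016-10-05 05:11:02 POST /EWS/Exchange.asmx - MIC\ofekry 198.51.100.7 Constructed-MailClient/2.0 401 1
2016-10-05 05:11:40 GET /owa/ - MIC\jdoe 203.0.113.9 Mozilla/5.0 401 1
2016-10-05 05:12:00 POST /EWS/Exchange.asmx - MIC\ofekry 198.51.100.7 Constructed-MailClient/2.0 200 0
'@ -split "`r?`n"

# Virtual directory prefix -> kind of client that uses it.
$clientTypes = [ordered]@{
    '/Microsoft-Server-ActiveSync' = 'Mobile device (ActiveSync)'
    '/owa'          = 'Outlook Web App'
    '/ecp'          = 'Exchange admin center'
    '/EWS'          = 'Exchange Web Services'
    '/rpc'          = 'Outlook Anywhere (RPC over HTTP)'
    '/mapi'         = 'Outlook (MAPI over HTTP)'
    '/Autodiscover' = 'Autodiscover'
}
# The user can appear as DOMAIN\user in cs-username or as User=... in an ActiveSync query.
$userRx  = '(^|\\)' + [regex]::Escape($user) + '$'
$queryRx = 'User=' + [regex]::Escape($user) + '(&|$)'

$fields = @()
$hits = foreach ($line in $lines) {
    if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*').Trim() -split ' '; continue }
    if (($line -like '#*') -or (-not $line.Trim())) { continue }   # other directives, blank lines
    $values = $line -split ' '
    if ($values.Count -ne $fields.Count) { continue }              # truncated or malformed line
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    if ($row['sc-status'] -ne '401') { continue }                  # keep authentication failures only
    if (($row['cs-username'] -notmatch $userRx) -and ($row['cs-uri-query'] -notmatch $queryRx)) { continue }
    $type = 'Other'
    foreach ($prefix in $clientTypes.Keys) {
        if ($row['cs-uri-stem'] -like "$prefix*") { $type = $clientTypes[$prefix]; break }
    }
    [pscustomobject]@{ ClientType = $type; SourceIP = $row['c-ip']; UserAgent = $row['cs(User-Agent)'] }
}
# One row per (client type, source address, user agent), most frequent first.
$hits | Group-Object ClientType, SourceIP, UserAgent | Sort-Object Count -Descending | Select-Object Count, Name
```

IIS writes W3C timestamps in UTC, and `c-ip` shows a load balancer or reverse proxy address when one sits in front of the CAS server. POP3, IMAP4 and SMTP logons do not pass through IIS and will not appear in these logs.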
Last Comment
Imran Yousaf

8/22/2022 - Mon
SOLUTION
Scott C

SOLUTION
Sudeep Sharma

SOLUTION
Albert Widjaja

Imran Yousaf

ASKER
Dear ScottCha,

I ran the command and couldn't find any result. Below is the output:

[PS] C:\Windows\system32>Get-ActiveSyncDevice -Identity "ofekry"
The mobile device ofekry cannot be found.
    + CategoryInfo          : NotSpecified: (:) [Get-ActiveSyncDevice], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=EXCHANGENODE2,RequestId=68c23e74-4dbd-438f-82ea-2d87b321ba68,TimeStamp=10/5/2016
    5:36:55 AM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 6B80FCB3,Microsoft.Exchange.Management.Tas
  ks.GetActiveSyncDevice
    + PSComputerName        : miccas01.mic.com.kw

[PS] C:\Windows\system32>
Imran Yousaf

ASKER
Dear Sudeep Sharma,

I will download the Log Parser now and will share my findings.
Imran Yousaf

ASKER
@ ITSystemEngineer

I will remove the email profile and inform you once done
ASKER CERTIFIED SOLUTION
Imran Yousaf

Imran Yousaf

ASKER
open for questions
Scott C

So it was another device as I thought... just not a mobile device. Glad it's resolved.

Saved his password on a public machine...  Will users never learn?
Imran Yousaf

ASKER
already provided